Important Security Update to our User Portal

We have just released an important upgrade to our user and login services. This will change how you log in to your account and manage your security settings. As part of the roll-out, all users are required to update their passwords. Please make sure your email address is up to date, and - optionally - that you (re-)enable 2FA in the new user portal.

Note: If you are currently logged in, you can still use the site without having to update your password just now. However, towards the end of November 2019 all users will be logged out, at which point everyone will be required to update their passwords.

What's happening?

Our new user portal includes vital security updates to our login, registration, password reset, Two-Factor Authentication and account recovery processes. As part of the upgrade, users will be required to log out and update their passwords to be at least 12 characters long, including at least one capital letter, at least one lowercase letter and at least one number. Updated passwords in the new user portal will be secured with new, stronger encryption algorithms. This is a necessary upgrade to reinforce the security of your account data.
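The policy stated above (at least 12 characters, with an uppercase letter, a lowercase letter and a digit) is simple to express in code. The following is an added example, not code from Nexus Mods or its user portal: it implements the stated rules as a checker that reports every violated rule, and alongside it computes the brute-force search-space bound (log2 of alphabet size to the power of length) that the length-versus-complexity discussion in the comments below refers to. The sample passwords are constructed for illustration.

```python
import math
import string

# Policy as announced: minimum length 12, plus one uppercase, one lowercase, one digit.
MIN_LENGTH = 12


def policy_failures(password: str) -> list:
    """Return the rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    return failures


def search_space_bits(password: str) -> float:
    """Upper bound on exhaustive-search cost in bits: length * log2(alphabet size),
    where the alphabet is the union of character classes actually present.
    This bounds brute force only; a dictionary or leaked-password attack is
    unaffected by it, which is why a breach-list check belongs beside the policy."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def evaluate(password: str) -> dict:
    """Combine both views so a reviewer can see policy result and brute-force bound together."""
    failures = policy_failures(password)
    return {
        "passes_policy": not failures,
        "failures": failures,
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed samples: the short complex one passes nothing useful, the long
    # lowercase passphrase fails the policy yet has the larger brute-force bound.
    for sample in ["password", "Tr0ub4dor&3", "correcthorsebatterystaple", "CorrectHorse9Battery"]:
        print(f"{sample!r:32} {evaluate(sample)}")
```

The `evaluate` output makes the trade-off concrete: a 25-character lowercase passphrase is rejected by the policy even though its exhaustive-search bound (about 117 bits) is far above that of an 11-character mixed-class string (about 72 bits). Whatever policy is chosen, the bound says nothing about guessability from breach lists, so a check against known-compromised passwords is the complementary control.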

We have completely reworked our registration process to make it cleaner and more straightforward for new users. Our new registration system no longer makes use of the Invision Board forum registration system (though your logins, whether "old" or new, will still work on the forums). Anyone who has registered on the site within the past 6 years will know how badly this change was needed.

Why are we making this change?

Over the last few years, our developers have been dedicating a lot of time and resources to reducing our reliance on the Invision Board forum which was the foundation of our user service. It has now reached a point where the only way we can be confident in the security of our user data is to build a bespoke, modern user portal.

Due to its reliance on old IP Board code, we cannot vouch for the security of the current, dated user system, as vulnerabilities in old code may surface as time goes on. Such vulnerabilities could potentially be exploited by malicious actors, which is why our web team has spent a substantial amount of time upgrading the user system to bring it up to modern security standards.

We understand that this may cause inconveniences for some of you, but we are convinced that this is a necessary step that will ultimately benefit the vast majority of our current and future users.

What does this mean for me?

As part of the roll-out, all users will have to update their passwords, either now, or towards the end of November 2019 when all users will be logged out.

If you do not remember your password, you will be able to reset it via the new user portal that will send an email with further instructions to the email address linked to your Nexus Mods account.

Because it is our main way of verifying that you are the owner of your account, the email address linked with your Nexus Mods account is of paramount importance. Unfortunately, rolling out the new user service means that users who do not remember their passwords and, at the same time, no longer have access to the email linked to their account will lose access to their accounts. In this event, we will only be able to restore your account if you have purchased Supporter or Premium Membership in the past and send us the receipt for the purchase to [email protected]. If you are unable to recover your account because of this, you are more than welcome to register a new one.

Re-enable Two-Factor Authentication

Because the new user system comes with an upgraded 2FA system that uses authenticator apps such as Google Authenticator and Authy, all users who were previously using our old 2FA system will have to re-enable it on the new user system in order to secure their accounts.

That being said, if you aren't already, please consider following best practices for online security, such as using a password manager, not reusing the same password across multiple sites, and always keeping your login credentials and email address up to date.

Foundations

Moving forward, the new user portal will be expanded upon to handle our Supporter and Premium Membership systems, along with other user-related services.

Once the team are confident that the launch has gone smoothly and the dust has settled a little, work will begin on improving the checkout, payment and management sections for Premium Members as well as the support and contact systems for users trying to reach us, the staff.

We have been thoroughly testing the new portal for weeks leading up to the release, but it's always possible we missed something. If you encounter a problem, please let us know on our bug tracker or by emailing [email protected].

408 comments


The new login page looks nice, Nexus. I appreciate the 2FA stuff. The e-mail thing from before was fine too imo but I'll add it to my Google Auth app, no problem.

Wish these other commenters could stop being so negative about every update you guys put out, but I guess they're taking it as a grave offense that they got minorly inconvenienced for one second and apparently that's enough to forget all the positives ¯\_(ツ)_/¯

I agree on the level of complaining, I'll take it a step further ... Stop whining like children. Most likely they weren't organized like an adult and don't keep secure records of their accounts/passwords. So, instead of admitting their incompetence they lash out. Grow up kiddies ... grandpa has spoken.

You'd be f***ing pissed if you got told to change your username because Nexus apparently can't tell the difference between Unicode (which can be problematic) and ASCII extended characters (which aren't) or do security and then told the username you need has been taken when it doesn't exist.

Logged in for the first time in a hot minute and all I can say is.... are you stupid? Adding restrictions to passwords makes them easier to crack because it reduces the possible combinations, it makes people more likely to pick something memorable which makes it more likely to appear in rainbow tables, and it makes people more likely to write them down - which obviously makes them less secure. The important parts of a strong password are: length, novel words. That's it.

Congratulations on making my account less secure by your asinine rule change.

I'll add some of my hate to this topic. These long passwords are stupid as hell, as people start to write them down somewhere so they don't forget, and it makes it easier to find them out. I set my password to something like YouAreBunchOfFuckingIdiots123 and sent it as a reply to the mail about the password change, cuz I knew that I wouldn't forget the special password on the only site that requires a 12-character-long one and I would be resetting it every damn time. I actually don't remember the one I set around 2 weeks ago :v

This isn't directed at Nexus specifically, but rather is a general question for anyone who runs a web site. I still remember when LM Hash was considered secure because "computers will NEVER be able to crack 7 letters!" and then of course, it happened. First in hours, then in minutes, and now it takes milliseconds. The same thing will, inevitably, happen with 12 characters eventually. And then 13, then 14, and so on. There will come a day when a cell phone will crack a 250 character password using the full unicode character set in mere seconds, too. When that day comes, what do we do? Up it to 251 characters? Make password managers mandatory? What happens when the password managers become integrated into the OS and then THEY get hacked? What if your box gets flashed with a hacked CMOS and the hackers get to dictate the "random" seed your password manager uses?

In all of these cases, some of which are already happening today, the solution is simple: make account recovery easier instead of making account logins harder. This is the one and ONLY solution that actually scales. Put the onus for security on the user, then make that security easy for them. That is how you handle security properly. It may be harder for IT managers, but that's what you get paid $60k/year or more for. (And no, it's not for your knowledge. 99% of that stuff can be learned by any village idiot at every community college across the country. You are paid for your WORK, not your expertise, so work for it.)

Cryptographers are working on it. It's not a simple problem. I don't think doing account recovery every time you want to use it is going to work out that well, either, especially as it relies on email accounts, which, as you may be aware, can be stolen in the same way. How do you recover the recovery account?

Even better. Apply a simple check box that lets me use the same password I've always used and assume all the responsibility of doing so. That way I don't have to worry about forgetting these incredibly stupid password requirements. This is getting f***ing ridiculous. Quit trying to protect me from myself.

re: arms race, you're right, but keep in mind that the last time we had a major arms race, it bankrupted the USSR, nearly bankrupted the USA, and the fallout - thankfully only metaphorical - is still being dealt with today in places like Afghanistan. This is to say that perhaps the best idea is to just acknowledge defeat.

My suggestion? Mandate 2FA and then remove ALL password requirements since NO password requirement will EVER stop a determined hacker. If a hacker has to physically acquire my actual phone, I have security they can never crack in the form of my Beretta 391 Urika-II 12ga shotgun.

In any case, it should be noted that, unless someone manages to ascertain the server-side database at Nexus, their ability to crack any password, regardless of length, is severely hampered, and if they DO manage to get the database, then the security failure isn't on the users for having weak passwords, it's on Nexus for having weak security on their end. So, in effect, the changes they made don't accomplish anything. This is not, and never was, about increasing security, because the innate delay involved in testing every attempt, combined with Nexus's extensive DDoS protection, means a remote hack through the web interface would take millennia even with a 6 or 7 character password. Instead, it's about shifting blame in the event of a hack, i.e. "it's not our fault for having weak security and allowing someone to get their hands on our account database, it's your fault for having a weak password!" Which is to say, BS.

Anyhow, just had to reset mine for the second time since these short-sighted rules were put in place. Before this, I've literally not had to reset it once in 4 years. These measures haven't stopped a single hacker, but they HAVE made the site less convenient for me, twice.

Yeah, sorry all, but I gotta agree that the new password requirements are a little over the top. This is a game forum/mod website. It's not like it's our bank account or a shopping site. Increasing the password length while keeping the complexity requirements is only going to serve to make more people use stupid passwords that can be guessed, etc.

If you want to make the password length longer, fine, I agree that increases security. But then drop the complexity requirements so that we can pick longer passwords while still being able to remember them. https://xkcd.com/936/

Gotta agree here. A couple of my friends working in web security talk about passwords all the time, and what I've picked up from it is that, while nothing guarantees security, complexity doesn't really make a notable difference, because your second biggest threat, right after someone breaking into a database and stealing user info (which from what I understand nothing the user can do will prevent), is bots mass-guessing passwords from a pool of all possible passwords. But password length? Each extra character makes the password take exponentially longer for the bot to guess.

These password requirements are bullshit. I have no problem with requiring a longer password as that is the best way to make a secure password, but requiring all that other s*** just makes it harder for humans to remember them.

Set a minimum password length, sure. That's fine. But don't tell me what that password has to contain (numbers, upper and lower case, special characters, etc) and just let me create a password that I can f***ing remember!

2009? That was when I created my account, Zombie_Hunter. Are you sure you didn't drop all the extended characters from usernames in your database and that's why everyone is saying that the usernames they need are taken when they try to set another one?

Each time I search for Mystyk it says there's no user by that name. Great! I go to change my name to it and all of a sudden "username is taken." I guess no hyphen will have to do for now.

The password thing doesn't bother me. Captcha is a big old pain in the you know what. I used to be able to switch on my VPN to bypass it but that doesn't seem to work anymore. Oh well. It's not like I had anything else to do today.